France: It’s time to reassess cookie compliance

13 February 2020 Reed Smith Client Alerts

Home Perspectives France: It’s time to reassess cookie compliance

The entry into force of the GDPR earlier than the proposed ePrivacy Regulation has challenged companies with respect to their cookie policies and their implementation.

Given the delay in the adoption of an EU-wide regulation on e-privacy, national data protection authorities have taken the initiative in publishing guidelines on cookies requirements. The publication of guidelines by the German data protection authorities, followed by the Information Commissioner’s Office (ICO) (in early July 2019), prompted the French Data Protection Authority (CNIL) to update its own recommendations on the use of cookies on 18 July 2019, and these have now been supplemented by draft recommendations on practical steps.

Authors: Daniel Kadar

The purpose of the CNIL guidelines on the use of cookies and other tracking technologies dated 18 July 2019 was to supersede the CNIL’s previous – and now obsolete – recommendations, in particular with respect to the notion of valid consent. The new recommendations are deemed to provide practical guidelines from a technical standpoint. These recommendations are currently in draft form, as the CNIL has submitted them for public consultation until 25 February 2020 prior to adopting them.

Companies should take a closer look at the CNIL recommendations, as the end of the transition period is only a few months away, and then the CNIL will start enforcing its new cookies rules. Although the practical recommendations are officially “non-binding”, considering the short timeframe, they are likely to be seen as the best option available to companies looking to ensure both the compliance of their websites and the efficient management of website traffic.

Harmonisation between ICO and CNIL recommendations regarding consent requirements for the use of cookies and other trackers

The CNIL has followed the consent standards set by the ICO and the German data protection authorities: active and informed consent is now required prior to the use of cookies or any technology storing or accessing information on a user’s device.

More precisely, the CNIL recommendations stress that the GDPR rules on consent are fully applicable to the use of cookies and other trackers, which implies that a freely given, specific, informed and unambiguous indication of consent is required from users.

These clear requirements answer the main issue raised by companies regarding the status of implied consent: it is now established that silence or inaction resulting from continuous browsing on a website no longer constitutes valid consent.

Furthermore, the soft “opt-in” of having a pre-ticked box does not constitute valid consent either.

The CNIL has also stated that the obligation to obtain consent must not interfere with the requirement to obtain free consent: the user should be able to reject the use of cookies without it having an impact on their use of the relevant website. In that respect, the CNIL is stricter than the ICO with regard to the prohibition of cookie walls, which block users who do not consent to the use of cookies from accessing the website.

With respect to the requirement for “informed consent”, the CNIL makes no reference to cookie banners, but points out that consent must be given with a full understanding of the consequences of this decision. Therefore, it is the responsibility of companies to draft comprehensive and legible information, and to communicate it to users before obtaining their consent. In that respect, the CNIL recommends that the information communicated should include certain details, including an exhaustive list of the entities using cookies and their respective roles as well as the purposes of the cookies.

Unlike the ICO, the CNIL has given details of its approach to specific consent: the user should be able to give their consent to each of the different purposes for using cookies, as opposed to giving their global consent, unless they are made aware of all the purposes for which the cookies are used when first visiting the website.

In practical terms, the CNIL permits companies to create adaptable templates that allow users to give their consent to the use of each cookie for a specific purpose. This is in line with the CNIL’s decision, affirmed by the French Administrative Supreme Court (Conseil d’Etat) on 6 June 2018 (n°412589), that browser settings do not allow users to give valid consent, to the extent that trackers cannot be distinguished according to their purpose.

Special features of the French cookies guidance. In addition to the above, it appears from the CNIL recommendations that certain domestic features will remain with regard to the lawful use of cookies.

The CNIL provides for exceptions to the obtaining of consent for two categories of cookies:

Cookies exempted from the prior consent requirement

Trackers the use of which is strictly necessary for the provision of an online service, or that have the exclusive purpose of facilitating communication by electronic means, provided nevertheless that clear information is given to users regarding the presence and purpose of such trackers.
Analytic cookies if they meet the following requirements provided by the CNIL:

The cookies must be implemented by the website owner (or a subcontractor);
The user must be informed prior to their implementation;
The user must be able to easily opt out of the use of the trackers;
The purpose of the trackers is limited to measuring website traffic, evaluating analytics and making website modifications;
No cross-referencing can take place;
The use of geolocation must be limited; and
The cookies’ lifetime must not exceed 13 months starting from the first visit to the website, and the information collected through the trackers can be kept for a maximum period of 25 months.

The CNIL also strengthened the burden of proof, so that it falls on companies to demonstrate that consent has been obtained in accordance with the existing guidelines. In practice, website owners must keep two forms of evidence, i.e., evidence of receipt of the user’s consent (e.g., a timestamp of their consent), as well as proof that the technical mechanism used to obtain such consent is compliant with CNIL requirements and guarantees the validity of the consent (e.g., a screenshot of the consent).

Finally, the CNIL requires that users are able to withdraw consent at any time, via a user-friendly means that enable them to withdraw consent as easily as they gave it. With respect to this requirement, the CNIL recommends making a link available to website users at all times, which bears clearly visible wording such as “Manage my cookies”.

Large enforcement need to be expected from the CNIL.

In the current context, given that it seems unlikely that the ePrivacy Regulation will be ready for publication in the coming months, the cookies guidelines issued by national data protection authorities constitute the prevailing rules to which parties should refer. It is also worth noting that these guidelines will carry particular authority given that the cooperation mechanisms between national authorities, as provided for in the GDPR, do not relate to cookie regulation and that, under Article 82 of the French Data Protection Act (Loi “Informatique et Libertés”), the CNIL is considered to be solely responsible for investigating and sanctioning parties that use cookies or other trackers on computers and other terminals located in France. Such circumstances will have the effect of significantly extending the CNIL’s ability to sanction parties, and the CNIL has made it clear that it intends to target and sanction any party found in breach of its new set of guidelines.

Client Alert 2020-045

Cheng, Cue named among top lawyers for DeSPAC transactions

Industries

Services

Business Teams

PitchBook: Reed Smith leads on PE transactions in healthcare

You May Be Interested

Cheng, Cue named among top lawyers for DeSPAC transactions

PitchBook: Reed Smith leads on PE transactions in healthcare

Share Tools